Hey Splunkers,
Our security team really likes the Identity Investigator dashboard. Only thing is -- it would be GREAT to add a few more swimlanes for custom sourcetypes (for example, our DNS, Proxy, etc.).
I see you can edit, remove and rename the default sourcetypes, but is there any way to add a new one?
Looked at the code underneath and everything seems pretty hard-coded. Is there a best-practices approach?
Thanks!
Yes, if you make a new saved search with the right arguments and matching the naming convention, it will work. To see some examples, try
find . -name savedsearches.conf | xargs grep Swimlane\] | grep -v Installer | grep -v old
If you are using ES 3.1 or later, you can use the editor to make a new swimlane with whatever content you want. Go to "Configure" > "Custom Searches" > "New".
On ES 4.0+, the same is now available under "Configure" > "Content Management" > "New".
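The find/grep one-liner above only prints the stanza headers. As an added example (not from this thread, and not Enterprise Security's own code), here is a small POSIX shell script that walks a Splunk directory the same way, lists every stanza whose name ends in "Swimlane" (skipping "Installer" and "old" paths, as the one-liner does), and then prints the full body of a chosen stanza so you can see which keys an existing swimlane search carries before copying the pattern. The sample savedsearches.conf content is constructed here for the demo: the stanza name is made up, and only the generic `search` and `disabled` keys are shown, so it is not a complete ES swimlane definition. Run it against your real Splunk install (e.g. `list_swimlane_stanzas /opt/splunk/etc`) to see the actual arguments.

```sh
#!/bin/sh
# Added example, not part of the original thread or of Splunk ES.
# Lists "- Swimlane" stanzas in savedsearches.conf files and prints one stanza body.

# list_swimlane_stanzas DIR
# Prints "relative/path/savedsearches.conf: <stanza name>" for each stanza
# whose header ends in "Swimlane]". Paths containing "Installer" or "old"
# are skipped, mirroring the grep -v filters from the one-liner.
list_swimlane_stanzas() {
    (
        cd "$1" || exit 1
        find . -name savedsearches.conf | grep -v Installer | grep -v old | sort |
        while IFS= read -r f; do
            awk -v file="$f" '
                /^\[.*Swimlane\][[:space:]]*$/ {
                    sub(/^\[/, ""); sub(/\][[:space:]]*$/, "")
                    print file ": " $0
                }' "$f"
        done
    )
}

# show_stanza FILE NAME
# Prints the non-empty "key = value" lines of stanza [NAME] in FILE, i.e.
# everything up to the next stanza header.
show_stanza() {
    awk -v want="$2" '
        /^\[/ {
            h = $0; sub(/[[:space:]]+$/, "", h)
            inside = (substr(h, 2, length(h) - 2) == want)
            next
        }
        inside && NF { print }
    ' "$1"
}

# make_sample DIR
# Builds a constructed (hypothetical) app tree: one live savedsearches.conf
# and an "old" copy that the listing must ignore. The stanza name and
# search string are illustrative only, not real ES content.
make_sample() {
    mkdir -p "$1/apps/SA-Example/default" "$1/apps/SA-Example/default.old"
    cat > "$1/apps/SA-Example/default/savedsearches.conf" <<'EOF'
[Identity - Example Proxy Events - Swimlane]
search = index=proxy | stats count by user
disabled = 0

[Identity - Example Report]
search = index=proxy | stats count
EOF
    cp "$1/apps/SA-Example/default/savedsearches.conf" \
       "$1/apps/SA-Example/default.old/savedsearches.conf"
}

main() {
    d=$(mktemp -d)
    make_sample "$d"
    echo "Swimlane stanzas under $d:"
    list_swimlane_stanzas "$d"
    echo "--- body of the sample stanza ---"
    show_stanza "$d/apps/SA-Example/default/savedsearches.conf" \
        "Identity - Example Proxy Events - Swimlane"
    rm -rf "$d"
}

main "$@"
```

Point `list_swimlane_stanzas` at `$SPLUNK_HOME/etc` on a real ES search head to enumerate the shipped swimlane searches, then use `show_stanza` on one of them to read off the exact arguments to reproduce for your DNS or Proxy search.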
VERY Helpful. Would have never figured this out on my own.
Thank you for showing me this example. I'll work on implementing this soon and provide more information and questions as they come up.